⚠️Actor mass exploiting unknown Fortinet exploit (FortiWeb path traversal / API exploitation) from 107.152.41.19 🇺🇸 ( TZULO ) VirusTotal Detections 0/95 🟢 After the exploit, the actor attempted to login using the newly created username-credential pair 🔐

⚠ Multiple IPs mass exploiting unknown Fortinet exploit (FortiWeb path traversal / API exploitation) The exploit aims at creating a user with the user-password combination Testpoint:AFT3$tH4ckmet0d4yaga!n 🔐 IPs involved in this exploit: 185.192.70.39 185.192.70.55

Some heightened activity on WSUS / CVE-2025-59287 during the last few days, put one of the payloads into a gist if someone is interested: https://t.co/ttzcTuh9V4

Patching Motivation of the Day 👇 Actor repeatedly hammering the CVE-2025-25257 exploit onto our Fortiweb honeypots with a DROP TABLE payload 213.209.143.41 just wants to watch the world burn! 🔥

Check the full ransomware vulnerabilities list 👉 https://t.co/u6qdjtw4Kt

Ransomware vulns with highest exploit likelihood ⬆️ (past 30d): - CVE-2025-61882 (Oracle E-Busine..) +186086.05% - CVE-2021-27877 (Veritas Veritas..) +879.54% - CVE-2023-20269 (ASA..) +302.13% - CVE-2023-20269 (FTD..) +302.13% - CVE-2025-29824 (CLFS..) +289.16%

Weekend of the F5 exploits... seeing like a 5-10x rate of exploitation to normal in the past 24 hrs Some actor is spraying known exploits like crazy (even old ones like CVE-2020-5902) @GreyNoiseIO has an interesting wpaper about how exploit spikes can predict new CVEs 👇

Cybercrime identified by @DefusedCyber

🚨Major exploit sweep targetting F5 BIG-IP ongoing A set of 10 IP addresses exploited CVE-2022-1388 on multiple of our F5 honeypots within the span of an hour F5 was recently breached, with breached data including previously unknown software vulnerabilities. Large-scale

Actor exploiting CVE-2023-27997 (Fortinet buffer overflow) from 170.247.220.25 🇺🇸 ( My Tech ) VirusTotal Detections: 0/95 🟢 This actor was recently mass probing Palo Alto devices for authentication pathways 🍯

🎃 Going live in 30 minutes! Atomics on a Friday: Night of the Living Indicators - join us for live emulations, haunted artifacts, and MCP mayhem. See you there… or on the recording. 👻⚛️ Twitch: https://t.co/54yXPSVO42 X Linkedin YT:

A couple more days to deploy a FortiWeb decoy / honeypot for FREE 👉 https://t.co/GXFaqghsXI New tiers launching next week 🍯

Actor exploiting CVE-2025-25257 (FortiWeb SQLi) from 172.96.141.66 🇺🇸 (RELIABLESITE) VT Detections: 0/95 🟢 Payload in Authorization: Bearer header 📸 select/**/a/**/from/**/fabric_user.a/**/into/**/outfile/**/var/log/lib/python3.10/pylab.py'/**/FIELDS/**/ESCAPED/**/BY/**/

Baddies using infra hosted in the USA to attack CISCO ASAs! (thanks @DefusedCyber and @ipinfo )

A large scale sweep targetting Palo Alto (/global-protect/prelogin.esp & /ssl-vpn/prelogin.esp) This is recon activity used in MFA bypass attempts if I'm not mistaken. 170.247.220.25 143.137.166.65 170.247.222.234 170.231.251.212 All clean IPs from VT / GN

Other activity from the same actor

How attackers rapidly switch IP addresses during exploits 👇 This attacker exploits CVE-2023-46747 to add an admin account to a F5 BIG-IP honeypot, and immediately logs on from a different IP address using the new credentials 185.167.60.154 🇫🇷 ( LIMESTONENETWORKS ) VT 0/95 🟢

Dataset of 81k Cisco exploit (login bruteforce / CVE-2022-20759) attempts from past 7 days IPS associated: https://t.co/huedR0zZWG Username-pass combos:

Actor exploiting multiple Fortinet Fortiweb honeypots from 185.253.163.82 🇺🇸( M247 Europe SRL ) VirusTotal Detections 0/95 🟢 The actor exploited CVE-2025-25257 on multiple Fortiweb honeypots, plus attempted logging in as administrator

Tune in on Friday to @AtomicsonaFri for some Defused fun! 🍯